It's an old cliché that most of the risks in information security come from within – you are more likely to be damaged by an ignorant or disgruntled employee than an outside hacker.
But the point has taken on new force with the recent growth of instant messaging (IM) in the workplace.
It seems that, all of a sudden, employees have discovered a whole new way to communicate which is faster and more immediate than email, and less trouble than using the phone. IM is the new way for workmates to chat while apparently carrying on with the rest of their work. And, so far, it is pretty much unregulated, unprotected and open to all the same security dangers that we thought we locked down with email.
As such, IM represents the next real big headache for infosec departments across the world.
The 2004 Workplace Email and Instant Messaging Survey, a recent study sponsored by the American Management Association and the ePolicy Institute, illustrates the extent of the problem perfectly. In a sample of more than 800 corporations, it found that 31 percent of employees use IM, and of these, 78 percent use a free IM client that they have downloaded from MSN, AOL or Yahoo!.
Although IM is acknowledged as a powerful new communications tool, it opens up huge opportunities for time-wasting and more dangerous activities. According to the survey, most workplace users engaged in personal IM chat, with 19 percent of them sending attachments, 16 percent sending jokes, gossip and rumors, nine percent sending confidential information, and six percent sending content that was sexual or downright pornographic.
While the same could be said of email, most companies have an email policy and some tools to enforce it. IM, however, remains largely uncontrolled and uncontrollable.
One-quarter of the organizations surveyed reported they had fired an employee for violating email policy, compared with 22 percent in 2003 and 17 percent in 2001. But IM has crept in by the back door, often without companies even being aware of its use by staff. In the survey, only 20 percent of companies had any policy for IM usage. Confidential, abusive or illegal content could be flying around the network – and to the outside world – with the central IT department having no idea.
The reason this matters is that the courts now view all electronic communication as admissible evidence in court cases. "From the standpoint of content and retention, employers should view IM as a form of turbocharged email, creating a written business record that must be monitored and managed," warns the report. "Employers are advised to take control of IM risks today, or face potentially costly consequences tomorrow."
However, the AMA study shows that few companies are aware of the dangers. "The fact that 37 percent of respondents do not know, or are unsure about, the difference between an electronic business record that must be retained, versus an insignificant message that may be deleted suggests that employers are dropping the ball when it comes to effectively managing email and IM use," says Nancy Flynn, executive director of the ePolicy Institute. "For financial services firms and others in regulated industries, the failure to properly retain email and IM can – and regularly does – lead to six-figure fines, criminal charges, civil lawsuits, and damaging publicity."
The report found that only 11 percent of organizations employ IM gateway/ management software to monitor, purge, retain, and otherwise control IM risks and use. With so many employees using free IM services at the office, organizations are vulnerable to a growing array of IM-related legal, compliance, productivity, and security threats.
Employers do a somewhat better job of monitoring employee email than IM, with 60 percent using software to monitor external email. But only 27 percent monitor internal email conversations between employees.
"Management's failure to check internal email is a potentially costly oversight," says Flynn. "Off-the-cuff, casual email conversations among employees are exactly the type of messages that tend to trigger lawsuits and arm litigators with damaging evidence."
This is already causing problems. The report reveals that one in five employers have had employee email and instant messages subpoenaed in the course of a lawsuit or regulatory investigation, compared with 14 percent last year.
Another 13 percent have battled workplace lawsuits triggered by employee email. Yet, in spite of the fact that email and instant messages are now a primary source of evidence, employers remain largely ill-prepared to manage email and IM risks.
The industry's experts admit this is a hard one to solve, especially since IM companies are constantly changing their message signatures and protocols to get past firewall defences.
"IT teams can try to close down ports and monitor Port 80 traffic. It can be blocked, but only in a very labor-intensive way," says Derek O'Carroll, head of IM Logic in Europe. "IM clients sniff the firewall and will switch ports to get through it. How can IT identify IM protocols coming through Port 80, and identify IM client protocols when the IM companies are continually changing them every few months?"
In most cases, companies are not even aware that IM is taking place. O'Carroll cites one large organization that insisted it had locked down all its desktop machines to stop IM. Using IM Logic's detection tool, it discovered IM clients running on 400 out of a population of 1,000 machines.
"IM has enjoyed phenomenal growth in the past two years. Compare it with the growth of PCs and email – 16 years to get to 50 million PCs, six years for email, and two years for IM to reach 50 million," he says. "The figure now stands at 280 million for consumer-based IM."
O'Carroll suggests that rather than trying to block IM altogether, organizations should embrace it as a powerful productivity tool and should try to run it securely.
Others are not so sure. Eric Chien, a senior researcher for Symantec, says it is unwise to use free IM clients, because they communicate unencrypted via servers outside the network.
If public networks must be used, then do not send creditcard information or attachments, he advises.
Far preferable, though, is to run everything through a centralized server and keep the logs in a secure place. "It is just as securable as email, " he says. "But using free IM is high risk."
The simple truth is that IM is here to stay, and we have to find ways of managing it. "The great thing about IM is that it is instant, which you don't get with the phone or email. And you still have control of the dialog," says Benjamin Ellis of Juniper Networks. He believes a new generation of workers, which has grown up with computers, is more ready for IM than previous generations.
"Email doesn't lend itself to real-time conversations," he says. "By the time I've looked up someone's phone number, the phone's rung and they have picked it up, I could have had a three-phase interaction on IM. It is fast and efficient, and lends itself to business use. It is also very low cost, and it doesn't matter where I am working, it gives me a high degree of mobility."
He concedes there are security fears, but insists the technology is there to help control it.
As companies learn to love IM, it will deliver benefits. Email traffic will come down, and IM will also provide a convenient link out to business partners. But, as Ellis says, companies need to put in place firm policies that they can also enforce, such as allowing conversations with partners, but not the transfer of any files.
The evidence so far is that most organizations still have some way to go before they can feel in control of IM.